Copy exploit and ethical release of information

I'm reposting this from the Linden forum (/invalid_link.html) because I'm getting no response form Linden and normal users cannot reply. What should I do? Linden is ignoring me. This is an exploitable bug... what do I do?

--- Repost ----
Nearly 48 [edit: now 64+] hours ago I submitted a bug report that included what I think is a no-copy exploit. By exploiting this bug someone can copy no-copy items if the creator packaged and transferred their item in a certain manner. I think this has the potential to be a dangerous exploit depending on how many creators package their items in this manner (I have no idea how many have). I've received no response from Linden (other then the automated "consider the matter resolved" email). Without a response or a fix I take this to mean that they don't consider this a bug. Since I consider this type of thing dangerous I think content creators should be warned of the potential to inadvertently allow others to copy no-copy items. How long should I wait for Linden to respond this before I warn the public (if ever)?

LL takes copy exploits very seriously. You need to privately supply LL with enough info that they can reproduce the exploit/bug. Don't tell anyone else or other people may figure out how it's done before LL can fix it. They don't ignore things like this.

You're not alone in this sentiment. The general concensus I have seen is that the permissions system needs to be fixed in a manner that works for everyone, as opposed to it's current form that tends to be misleading in several ways.

Unfortunately, bringing the issue to the forums has historically lead to flame wars regarding theft and some pretty direct attacks (which I may be bringing upon myself for mentioning here).

The best course of action at present would be to raise awareness of the issue in-world and to attempt to lobby the Lindens directly, as the forums are only frequented by a small percentage of the population. Plus, we've been told here that overhauling the permissions system is currently a low priority, whereas nagging exploits are slammed immediately.

Edit: And yes, if it's a new exploit (other than the known "flaws", take it to them immediately and in private, as Chip has mentioned.

Thanks for the responses. I defiantly prefer to keep this quite until Linden fixes it but I'm not getting any response form them through the "Hotline to Linden" forum or my bug submission. For know I'll wait and ignore the in-game IMs I'm receiving. But if Linden is serious about fixing these then before too long I'm going to have to assume that Linden considers it a feature rather then a exploitable bug. In which case it should be documented as what not to do as it is easy to do by mistake.

Set the information free!

I'd recommend contacting Kona Linden directly. He's very friendly and loves people who can demonstrate solid repros on bugs.

-Flip

I've also found that going through the prescribed channels for reporting bugs is woefully inadequate for serious issues.

I second Flipper's advice to take it directly to a Linden. Brent Linden has stated in the past that you should IM him directly if the bug is serious enough.

I imagine if you contact the right person, they'll take it seriously and escalate it properly. However, don't be suprised if it's the first time they've heard of the problem even after you reported it properly.

I'd love to demonstrate this to a Linden but unfortunately I am only in SL in the evenings and the number of lindens in game are quite low at that point. I did talk to a Linden last night (sorry I forgot the name) and she said basically that just because I haven't heard anything that doesn't mean they are not working on it and if I want to follow up send an e-mail to tech support. I'm awfully surprised that they are not responding.

With the amount of bug reports and abuse reports received, its simply not possible to reply to each one. In a typical week, I normally file 2 or 3 bug reports, so I can understand why.

Regards,

-Flip

A liaison failed to escalate a far more serious bug that was reported, sending an email instead of getting someone on the phone. I don't know whether that was a one-time lapse, or an unfavorable indication of LL's safety culture.

Qubius:

Please contact me inworld. Just because a Linden isn't online doesn't mean they don't get their IM's I'm all too willing to help out even on off hours. Find > People > Brent Linden. I'd like to see this in action. We are actively fixing a few other exploits that may be the same as this, however I still want to verify the bug with you, thanks!

In the future please privately submit exploit bugs to a Linden who is an officer in the Bug Hunters group. That's the best way to get those *serious* bugs checked out.

Brent

Here's my reply to this copy 'exploit':

I was told this isn't getting fixed 'soon', because its a big change to the way permissions are applied. The workaround is not to apply permissions via the Inventory (since next-owner permissions are applied when objects are rezzed). Or apply the permissions in your inventory, drop the object, and Take it again. We do not consider it an exploit because you (as the creator of the objects) have the ability to set them properly.

In the Debug menu, check "Debug Permissions". Then go through your repro until you rez the object. In you inventory, open the Properties of that object. Then check the N: permissions. Notice there is an asterisk '*'. That means the permissions will be set on the next rez.

I'm sorry if this explanation isn't to your liking. I was informed that this issue has been around for a while. Since it hasn't caused a public outcry, we're holding off on patching it up until we can really fix it (and permissions in general).

If you have further questions please let me know, and thanks again for trying to help us nab the bugs!

---

I'd like to add that the only 'quick-fix' I can think of for this would be to disallow setting object permissions in the Inventory's Properties floater. I think that's a bad idea, and that you all would throw various tortured torii my way for even suggesting such a thing.

So if you'll all just stand over here while I pull out this red, blinky thing...

Well then stop filing 'em!

Geez

Brent, I have read through your post and found it a little confusing. Do you need to know what the 'exploit' is to be able to understand the 'fix'?

Ah, yes, sorry. Since it's not really an exploit and more an undesired/unexpected result I think full disclosure on it is a good idea!

- Create an object and set it to no-copy via the Edit floater.
- Take it.
- Create a cube prim (box) and drop the object into the box.
- Take the box.
- Right click the box in your Inventory and choose 'Properties'.
- Set it to fully-permissive (modify/copy/transfer). Close the Properties floater.
- Give the object to a friend.
* They will notice they can rez multiple copies of the object, even though the permissions should be (no copy) on the container object. The container should inherit the permissions of the least-permissive asset within it. Technically it does, but those permissions are not applied until it is rezzed.
* They will also notice that they cannot shift-drag the object in-world because the permissions are applied when the object is rezzed.

This can be a problem if you tend to set your containers fully-permissive. Solution? Don't change the permissions of containers in your Inventory.

Thanks for the explanation, Brent. This is the type of info that should be posted on bulletin boards at telehubs, for all the folks who don't frequent forums.

Thanks you Brent for looking at this. I hope that this information spreads enough so that other content creators can avoid this situation. I only found this bug because I wanted to distribute a no-copy script (door locking mechanism) that I sell inside a copyable and modifiable prims (freely available doors). Could have serious consequences if I gave out a no-copy/resell script in a copy prim.